CLAIMS:

What is claimed is: 

1. A method in a data processing system for reporting 
security situations, comprising the steps of: 

logging events by storing event attributes as an
event set, wherein each event set includes a source
attribute, a target attribute and an event category
attribute;

classifying events as groups by aggregating events
with at least one attribute within the event set as
an identical value;

calculating severity levels for the groups;

calculating delta severities from the severity
levels; and

propagating the delta severities to a higher-level
correlation server.

2. The method of claim 1, wherein the severity levels
are calculated based on at least one of the number
of event sets within each of the groups, the source
attribute of the event sets within each of the
groups, the target attribute of the event sets
within each of the groups, and the event category
attribute of the event sets within each of the
groups.

3. The method of claim 1, wherein the events include at
least one of a web server event, an electronic mail 
event, a Trojan horse, denial of service, a virus, a 
network event, an authentication failure, and an 
access violation. 

4. The method of claim 1, further comprising: 

calculating the threshold value based on at least 
one of the source attribute of the event sets within 
the group, the target attribute of the event sets 
within the group, the event category attribute in 
each event set of the group, and the number of 
attributes in each event set of the group that are 
held constant across all of the event sets in the 
group.

5. The method of claim 1, wherein the target attribute 
represents one of a computer and a collection of 
computers.

6. The method of claim 1, wherein the source attribute 
represents one of a computer and a collection of 
computers.

7. The method of claim 1, further comprising: 

aggregating a subset of the groups into a combined 
group.

8. A method, in a data processing system, of
establishing a severity level for multiple groups of
computers, comprising:

receiving a plurality of delta severity levels; 

performing a first mathematical operation on the 
plurality of delta severity levels to form a new delta 
severity level; 

if the data processing system is the top level of a 
hierarchy of servers, performing a second mathematical 
operation on the new delta severity level and a stored 
severity level to form a new severity level; and 

if the data processing system is not the top level of a 
hierarchy of servers, propagating the new delta severity 
level to a higher-level correlation server. 

9. The method of claim 8, wherein the first 
mathematical operation is one of addition, arithmetic 
mean, and geometric mean. 

10. The method of claim 8, wherein the second 
mathematical operation is one of addition, arithmetic 
mean, and geometric mean. 

11. A computer program product in a computer readable 
medium for reporting security events, comprising 
instructions for:

logging events by storing event attributes as an
event set, wherein each event set includes a source 
attribute, a target attribute and an event category 
attribute; 

classifying events as groups by aggregating events 
with at least one attribute within the event set as 
an identical value; 



calculating severity levels for the groups;

calculating delta severities from the severity
levels; and

propagating the delta severities to a higher-level
correlation server.

12. The computer program product of claim 11, wherein
the severity levels are calculated based on at least
one of the number of event sets within each of the
groups, the source attribute of the event sets
within each of the groups, the target attribute of
the event sets within each of the groups, and the
event category attribute of the event sets within
each of the groups.

13. The computer program product of claim 11, wherein
the events include at least one of a web server
event, an electronic mail event, a Trojan horse,
denial of service, a virus, a network event, an
authentication failure, and an access violation.

14. The computer program product of claim 11, comprising
additional instructions for:

calculating the threshold value based on at least
one of the source attribute of the event sets within
the group, the target attribute of the event sets
within the group, the event category attribute in
each event set of the group, and the number of
attributes in each event set of the group that are
held constant across all of the event sets in the
group.



15. The computer program product of claim 11, wherein
the target attribute represents one of a computer
and a collection of computers.

16. The computer program product of claim 11, wherein
the source attribute represents one of a computer
and a collection of computers.

17. The computer program product of claim 11, comprising
additional instructions for:

aggregating a subset of the groups into a combined
group.



18. A computer program product in a computer readable 
medium, containing instruction code operable in a 
data processing system, comprising instructions for:

receiving a plurality of delta severity levels;

performing a first mathematical operation on the
plurality of delta severity levels to form a new
delta severity level;

if the data processing system is the top level of a
hierarchy of servers, performing a second
mathematical operation on the new delta severity
level and a stored severity level to form a new
severity level; and

if the data processing system is not the top level
of a hierarchy of servers, propagating the new delta
severity level to a higher-level correlation server.

19. The computer program product of claim 18, wherein
the first mathematical operation is one of addition,
arithmetic mean, and geometric mean.

20. The computer program product of claim 18, wherein 
the second mathematical operation is one of 
addition, arithmetic mean, and geometric mean. 

21. A data processing system for reporting security
events, comprising:

a bus system;

a memory;

a processing unit, wherein the processing unit
includes at least one processor; and

a set of instructions within the memory,

wherein the processing unit executes the set of 
instructions to perform the acts of: 

logging events by storing event attributes as an 
event set, wherein each event set includes a source 
attribute, a target attribute and an event category 
attribute; 

classifying events as groups by aggregating events 
with at least one attribute within the event set as 
an identical value; 

calculating severity levels for the groups; 

calculating delta severities from the severity 
levels; and 

propagating the delta severities to a higher-level 
correlation server.

22. The data processing system of claim 21, wherein the 
severity levels are calculated based on at least one 
of the number of event sets within each of the 
groups, the source attribute of the event sets 
within each of the groups, the target attribute of 
the event sets within each of the groups, and the 
event category attribute of the event sets within 
each of the groups.

23. The data processing system of claim 21, wherein the
events include at least one of a web server event,
an electronic mail event, a Trojan horse, denial of
service, a virus, a network event, an authentication
failure, and an access violation.



24. The data processing system of claim 21, wherein the 
processing unit executes the set of instructions to 
perform the act of: 

calculating the threshold value based on at least
one of the source attribute of the event sets within
the group, the target attribute of the event sets
within the group, the event category attribute in
each event set of the group, and the number of
attributes in each event set of the group that are
held constant across all of the event sets in the
group.



25. The data processing system of claim 21, wherein the 
target attribute represents one of a computer and a 
collection of computers.

26. The data processing system of claim 21, wherein the
source attribute represents one of a computer and a
collection of computers.

27. The data processing system of claim 21, wherein the
processing unit executes the set of instructions to 
perform the act of: 

aggregating a subset of the groups into a combined 
group.

28. A data processing system for reporting security
events, comprising:

a bus system; 

a memory; 

a processing unit, wherein the processing unit 
includes at least one processor; and 

a set of instructions within the memory, 

wherein the processing unit executes the set of 
instructions to perform the acts of: 

receiving a plurality of delta severity levels; 

performing a first mathematical operation on the 
plurality of delta severity levels to form a new 
delta severity level; 

if the data processing system is the top level of a 
hierarchy of servers, performing a second 
mathematical operation on the new delta severity 
level and a stored severity level to form a new
severity level; and 

if the data processing system is not the top level 
of a hierarchy of servers, propagating the new delta 
severity level to a higher-level correlation server. 

29. The computer program product of claim 28, wherein 
the first mathematical operation is one of addition, 
arithmetic mean, and geometric mean. 

30. The computer program product of claim 28, wherein 
the second mathematical operation is one of addition, 
arithmetic mean, and geometric mean. 
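
Added example, not part of the patent text: the flow of claims 1 and 8 to 10 in Python, with sensors reporting per-group delta severities and correlation servers combining them up a hierarchy. Class names, grouping by target and category, and severity as the event-set count are assumptions made for the illustration.

```python
from collections import Counter
from math import prod

OPS = {  # operations named in claims 9 and 10 for combining severity values
    "addition": sum,
    "arithmetic_mean": lambda xs: sum(xs) / len(xs),
    "geometric_mean": lambda xs: prod(xs) ** (1 / len(xs)),
}

class Sensor:
    """Claim 1: log event sets, group them, report delta severities."""
    def __init__(self, group_by=("target", "category")):
        self.group_by = group_by   # attributes that must be identical within a group
        self.log = []              # stored event sets
        self.reported = Counter()  # severity already reported, per group
    def observe(self, events):
        self.log.extend(events)
        # Assumption: a group's severity is its number of event sets (claim 2).
        severity = Counter(tuple(e[a] for a in self.group_by) for e in self.log)
        deltas = {g: s - self.reported[g] for g, s in severity.items()
                  if s != self.reported[g]}
        self.reported = severity
        return deltas

class CorrelationServer:
    """Claim 8: combine received deltas; only the top level keeps a severity."""
    def __init__(self, is_top=False, first_op="addition", second_op="addition"):
        self.is_top, self.stored = is_top, {}
        self.first, self.second = OPS[first_op], OPS[second_op]
    def receive(self, batches):
        per_group = {}
        for batch in batches:      # one {group: delta} dict per lower-level node
            for group, delta in batch.items():
                per_group.setdefault(group, []).append(delta)
        new_delta = {g: self.first(ds) for g, ds in per_group.items()}
        if not self.is_top:
            return new_delta       # propagate to the higher-level correlation server
        for g, d in new_delta.items():
            self.stored[g] = self.second([self.stored.get(g, 0), d])
        return dict(self.stored)

def demo():
    # Constructed sample event sets: source, target, event category.
    ev = lambda s, t, c: {"source": s, "target": t, "category": c}
    site_a = [ev("192.0.2.5", "web1", "auth_failure")] * 3
    site_b = [ev("192.0.2.9", "web1", "auth_failure"), ev("192.0.2.9", "mail1", "virus")]
    a, b, regional, top = Sensor(), Sensor(), CorrelationServer(), CorrelationServer(is_top=True)
    first = top.receive([regional.receive([a.observe(site_a), b.observe(site_b)])])
    second = top.receive([regional.receive([a.observe(site_a[:1]), b.observe([])])])
    return first, second
```

Only changes travel upward: the second round sends a single delta of 1 for the web1 group, and the top-level server folds it into its stored severity.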



